Vidar

Arkei is an information stealer Trojan that was first identified in December 2018. It is either a fork of Vidar or a later stage of its evolution. Vidar, named after the god of vengeance from Scandinavian mythology, is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

  • Type
    Trojan
  • Origin
    ex-USSR
  • First seen
    1 December, 2018
  • Last seen
    21 November, 2019
  • Also known as
    Arkei
  • Global rank
    20
  • Week rank
    12
  • Month rank
    18
  • IOCs
    501

What is Arkei malware?

General description of Arkei

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop executing if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Like many other malware families, Vidar is sold under the MaaS (Malware-as-a-Service) business model: it can be purchased on its “official” website for a hefty price tag of $700, at least for the PRO version, while a stripped-down version of the malware can be obtained for just $250.

Vidar is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the malware can be configured by the cybercriminal to target particular information on the victims’ PCs. As with Arkei, cybercriminals need to take precautions to secure the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names which Vidar uses to locate its C&C servers, where the stolen data is dropped, change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records (including data from TOR), and autofill values, including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various software.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. Holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are potentially at risk, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Arkei malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.

Figure 1: A visual process graph of the Arkei execution, generated by ANY.RUN

Figure 2: The customizable text report of the Arkei analysis provided by ANY.RUN is a perfect tool to share the results of an analysis

Arkei execution process

After the user downloads and runs the malicious file, it spawns a child process and starts collecting information from the infected device. Often, once the information has been collected, the malware kills and deletes itself through a command-line command.
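One way a defender could flag the behaviour described above in sandbox process logs, as an added example that is not ANY.RUN's code and not from the original page: the process-creation events are constructed, and the `cmd /c ... del <path>` shape of the self-deletion command is an assumption about how such a clean-up is typically issued.

```python
# Added example (not from the ANY.RUN page): flag a process whose child command
# shell deletes the parent's own executable, the self-deletion step the text
# describes. Events below are constructed; the "cmd /c ... del <path>" form is
# an assumed shape of that command line, not something taken from a sample.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that was started
    cmdline: str   # command line it was started with


# Constructed sample of process-creation events from one sandbox run.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Users\user\Desktop\invoice.exe",
              r'"C:\Users\user\Desktop\invoice.exe"'),
    # The stealer spawns a child copy of itself, as the text describes.
    ProcEvent(1100, 1000, r"C:\Users\user\Desktop\invoice.exe",
              r'"C:\Users\user\Desktop\invoice.exe"'),
    # The child then launches a shell that kills and deletes the binary.
    ProcEvent(1200, 1100, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im invoice.exe /f'
              r' & timeout /t 3 & del "C:\Users\user\Desktop\invoice.exe"'),
    # Benign shell usage that must not be flagged.
    ProcEvent(1300, 500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir'),
]


def find_self_deleting_processes(events):
    """Return (parent_pid, child_pid) pairs where a child cmd.exe deletes
    the parent's own image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        cmd = e.cmdline.lower()
        # A "del" token plus a reference to the parent's executable path.
        if re.search(r"\bdel\b", cmd) and parent.image.lower() in cmd:
            hits.append((parent.pid, e.pid))
    return hits
```

On the constructed events the check flags only the shell spawned by the stealer's child process, not the benign `cmd /c dir`.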

How to avoid infection by Arkei?

When spread via spam email campaigns, Vidar requires the user to download and run a malicious file before it can enter an active state and begin execution. Therefore, following some basic online safety rules can keep users safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, thereby not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Arkei

Like other malware, Arkei/Vidar is distributed through spam email campaigns as a malicious attachment. Cases of Vidar being distributed via shady software and game hack clients have also been recorded. Vidar targets users all over the world, with the exception of some ex-USSR countries, including Russia.

How to detect Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about Arkei using ANY.RUN's "Static Discovering" feature: open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar is a highly dangerous information stealer trojan, distributed as malware-as-a-service. Thanks to its extensive stealer feature set, Vidar can be used to retrieve a wide variety of information, including select cryptocurrency coins stolen from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, helping to spread information about the danger and to develop effective countermeasures.

IOCs

